In a first for both cybersecurity and securities law, a ransomware company filed a complaint with the U.S. Securities and Exchange Commission (“SEC”) against its own hacking victim for failure to disclose the hack itself. The move is akin to a car thief suing their victim for failing to report the stolen car to their insurer.
The ransomware company, known as AlphV/Black Cat (“AlphV”), a Russian-based group, confirmed to Databreaches.net that they made the report to the SEC, alleging MeridianLink failed to comply with the SEC’s upcoming cyberattack disclosures rules. AlphV is a well-known cyberattacker, having previously gained notoriety for attacks against major casinos and hotels.
As we have covered previously on Aug. 2, 2023, and Aug. 21, 2023, the SEC’s forthcoming cybersecurity rules do not actually take effect until December, but the incident sheds light on an emerging concern for the cybersecurity industry: cyber criminals are sophisticated, well-resourced, and will be closely following companies’ disclosures around cyberattacks to help them target future victims and assert maximum leverage, especially where ransomware is concerned.